srivasta@debian.org--lenny/refpolicy--debian--0.0--patch-15
srivasta@debian.org--lenny/refpolicy--debian--0.0--patch-18
srivasta@debian.org--lenny/refpolicy--debian--0.0--patch-20
Updated for upstream ddd786e4 (2010-03-18)
Updated in 0.2.20100524-1
* policy/modules/system/init.te: Allow /etc/network/if-up.d/mountnfs to
create /var/run/network/mountnfs as a poor man's lock.
Allow mount to create a file /lib/init/rw/.ramfs
These are changes from Russell Coker, and include a better way of
handling /lib/init/rw.
* policy/modules/kernel/devices.if: Allow reading and writing tmpfs files
while relabelling
* policy/modules/kernel/filesystem.if: Added interface
fs_allow_tmpfs_file_read to allow reading tmpfs files
* policy/modules/system/init.te: Major changes. Pull thing out of gentoo
and redhat policies, seed udev /dev, handle /lib/init/rw/.ramfs,
Index: policy/modules/kernel/devices.if
===================================================================
--- policy/modules/kernel/devices.if.orig
+++ policy/modules/kernel/devices.if
@@ -140,7 +140,7 @@
interface(`dev_relabel_all_dev_nodes',`
gen_require(`
attribute device_node;
- type device_t;
+ type device_t, tmpfs_t;
')
relabelfrom_dirs_pattern($1, device_t, device_node)
@@ -150,6 +150,7 @@
relabelfrom_sock_files_pattern($1, device_t, device_node)
relabel_blk_files_pattern($1, device_t, { device_t device_node })
relabel_chr_files_pattern($1, device_t, { device_t device_node })
+ allow $1 tmpfs_t:chr_file { read write };
')
########################################
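Review bot: The added `allow $1 tmpfs_t:chr_file { read write };` widens `dev_relabel_all_dev_nodes` beyond relabelling, so every caller of this interface silently gains read/write on tmpfs character devices, and the `tmpfs_t` require added in the previous hunk (the `@@ -140,7` one) exists only to support that raw rule. The same grant is already available through the filesystem module's own interface, which this patch itself calls in init.te (`fs_rw_tmpfs_chr_files(init_t)`); the caller that needs it should call that interface, and both the `tmpfs_t` require and the raw allow can be dropped from devices.if. If the permission must stay here, the interface's summary block above the hunk should say that it also grants tmpfs chr_file read/write, since nothing in the name suggests it. The interface body starts before this hunk.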
Index: policy/modules/kernel/filesystem.if
===================================================================
--- policy/modules/kernel/filesystem.if.orig
+++ policy/modules/kernel/filesystem.if
@@ -4064,6 +4064,24 @@
########################################
##
+## Allow reading tmpfs files
+##
+##
+##
+## Domain to read files
+##
+##
+#
+interface(`fs_allow_tmpfs_file_read',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:file read;
+')
+
+########################################
+##
## Create, read, write, and delete
## auto moutpoints.
##
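Review bot: `allow $1 tmpfs_t:file read;` grants only `read`, without `open`, `getattr` or `ioctl`, so on a kernel that enforces the open permission the caller still cannot read the file this interface is meant to expose; the usual form is `read_files_pattern($1, tmpfs_t, tmpfs_t)`, which also covers search on the directory. The name `fs_allow_tmpfs_file_read` does not follow the `fs_<verb>_tmpfs_<object>` convention used by the neighbouring interfaces (the existing `fs_rw_tmpfs_chr_files` is the model), and `fs_read_tmpfs_files` would be the conventional name, so check whether upstream already has such an interface before adding a second one. As rendered, the doc block above the interface also seems to have lost its `<summary>` and `<param name="domain">` markup that the other interfaces in this file carry; if that is not just a display artifact, it should be restored.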
Index: policy/modules/system/init.te
===================================================================
--- policy/modules/system/init.te.orig
+++ policy/modules/system/init.te
@@ -178,6 +178,11 @@
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
')
+ifdef(`distro_debian',`
+ fs_rw_tmpfs_chr_files(init_t)
+ fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
+')
+
tunable_policy(`init_upstart',`
corecmd_shell_domtrans(init_t, initrc_t)
',`
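Review bot: `fs_rw_tmpfs_chr_files(init_t)` hands init read/write on every tmpfs character device with no comment saying why, while the changelog at the top of the patch attributes this to udev seeding /dev on tmpfs; a one-line comment would keep that reason next to the rule, e.g. `# /dev is seeded on tmpfs early in boot before it is relabelled`. The `fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)` on the following line repeats the rule visible just above the new block; whether that is a real duplicate depends on the condition guarding the earlier block, which starts outside this hunk.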
@@ -425,6 +430,18 @@
storage_tmpfs_filetrans_fixed_disk(initrc_t)
files_setattr_etc_dirs(initrc_t)
+
+ selinux_get_fs_mount(init_t)
+
+ # for /lib/init/rw/.ramfs
+ fs_tmpfs_filetrans(initrc_t,initrc_state_t,file)
+
+ # for progress_state which is created by the initramfs
+ fs_allow_tmpfs_file_read(initrc_t)
+
+ # /etc/network/if-up.d/mountnfs wants to mkdir
+ # /var/run/network/mountnfs as a poor mans lock
+ allow initrc_t var_run_t:dir create;
')
ifdef(`distro_gentoo',`
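Review bot: `selinux_get_fs_mount(init_t)` is the only line in this block that targets `init_t`; every surrounding rule, including the new ones below it, is for `initrc_t`, so this looks like a typo for `selinux_get_fs_mount(initrc_t)` — the block header is outside the hunk, so confirm which domain it was meant for. `allow initrc_t var_run_t:dir create;` is a raw rule on a type owned by the files module, which needs `var_run_t` brought into scope in init.te and, for the mkdir the comment describes, also `add_name` and `write` on the parent directory; a files.if interface in the style of the other calls in this block would cover both and keep the module layering intact. Minor style: `fs_tmpfs_filetrans(initrc_t,initrc_state_t,file)` drops the spaces after commas that the other calls in this patch use.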
@@ -434,13 +451,11 @@
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
- dev_create_generic_dirs(initrc_t)
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
# with /dev/.rcboot to decide if we are in
# early init
- dev_create_generic_dirs(initrc_t)
dev_delete_generic_dirs(initrc_t)
# allow bootmisc to create /var/lock/.keep.